CVE-2025-60697

Name of the Vulnerable Software and Affected Versions D-Link DIR-882 Router firmware version DIR882A1 FW102B02

Description A command injection issue exists in the D-Link DIR-882 Router firmware. The sub 4438A4 function within the prog.cgi binary stores user-provided DDNS parameters, ServerAddress and Hostname, in NVRAM using nvram safe set. These values are subsequently retrieved by the start DDNS ipv4 function in the rc binary using nvram safe get and incorporated into DDNS shell commands executed via twsystem() without adequate sanitization. The partial string comparison implemented is insufficient to prevent command injection. An unauthenticated remote attacker can exploit this by sending specially crafted HTTP requests to the router’s web interface, potentially allowing arbitrary command execution on the device.

Recommendations Update to a newer version of the D-Link DIR-882 Router firmware that addresses this issue.